Radiolocation using path loss data

ABSTRACT

Determining the location of a station or potential rogue access point in a wireless network including accepting an ideal path loss model and calibrating the ideal model using path loss measurements between access points at known locations. The calibrating determines a calibrated path loss model between the access points. The method further includes determining path losses between the wireless station of unknown location and at least some of the access points. In the case the wireless station is a client station, the determining includes receiving measurements from the wireless station of unknown location measuring the received signal strengths as a result of respective transmissions from at least some of the access points at known respective transmit powers. In the case the wireless station is an potential rogue access point, the determining includes receiving measurements from at least some of the access points measuring the received signal strength at each of the access points resulting from transmission by the potential rogue access point for each of a set of assumed transmit powers for the potential rogue. The method further includes determining the likely location or locations of the wireless station using the measured path loss and the calibrated path loss model.

RELATED PATENT APPLICATIONS

The present application is a continuation of U.S. patent applicationSer. No. 10/629,384 filed on Jul. 28, 2003 now U.S. Pat. No. 6,990,428titled RADIOLOCATION USING PATH LOSS DATA. The contents of U.S. patentapplication Ser. No. 10/629,384 are incorporated herein by reference.

The present application is related to U.S. Provisional PatentApplication Ser. No. 60/490,847 S/N titled “A METHOD, APPARATUS, ANDSOFTWARE PRODUCT FOR DETECTING ROGUE ACCESS POINTS IN A WIRELESSNETWORK” to inventors Tolson, et al., assigned to the assignee of thepresent invention, and incorporated herein by reference.

BACKGROUND

The present invention is related to wireless networks, and in particularto determining the location of wireless stations in a wireless network.

Use of wireless networks such as wireless local area networks (WLANs) isbecoming widespread. Locating radios in a wireless communication systemsuch as a WLAN enables new and enhanced features, such as location-basedservices and location-aware management. Location-based services include,for example, assigning the correct, e.g., closest printer to a wirelessstation of a WLAN.

A WLAN may be ad hoc, in that any station may communicate directly withany other station, or have an infrastructure in which a station (calleda “client station” or simply a “client”) can only communicate via anaccess point (AP)—a station that acts as a base station for a set ofclients. The access point is typically coupled to other networks thatmay be wired or wireless, e.g., to the Internet or to an intranet. Thatwider network is called the “wired” network herein, and it is to beunderstood that this wired network may be an internetwork that includesother wireless networks.

WLAN management applications of radiolocation include the location ofclient stations and the location of rogue access points. See forexample, concurrently filed incorporated-by-reference U.S. ProvisionalPatent application Ser. No. 60/490,847 titled “A METHOD, APPARATUS, ANDSOFTWARE PRODUCT FOR DETECTING ROGUE ACCESS POINTS IN A WIRELESSNETWORK” to inventors Olson, et al., for more details of the latterapplication and how radiolocation may be used to aid rogue access pointdetection.

A number of techniques have been proposed for radiolocation. Prior artmethods are known that rely on the Global Positioning System (GPS). GPS,however, is known to have poor indoor reception and long acquisitiontime. GPS also requires additional GPS hardware in the wireless stationthat would increase the cost of stations, e.g., client devices.

Prior art methods also are known that rely on time difference of arrival(TDOA) estimation. Such methods require relatively precise timesynchronization at each station, which in turn requires non-standardhardware that differs from that in today's WLAN stations, e.g., stationsthat conform to the IEEE 802.11 standard.

Prior art methods also are known for WLANs that use signal strengthmeasurements using existing mobile station hardware. Such methods,however, require training that in turn requires taking time-consumingsignal strength measurements at numerous locations by a cooperativemobile client station.

A prior art method also is known for WLANs that uses RF modeling. Themodeling, however, requires detailed input of building layout, walllocation, and construction materials.

Thus, there is a need for a method for radiolocation using availablesignal strength measurements at wireless stations that does needadditional hardware in addition to regular radio hardware, and thatrequires relatively little training. There further is a need for aradiolocation method wherein the training can be accomplishedautomatically by each infrastructure access point.

SUMMARY

Disclosed herein is a method, apparatus, and software product forradiolocation using measurements at wireless stations of a wirelessnetwork that requires relatively little “training,” e.g., relativelylittle calibrating. The invention is particularly useful in WLANapplications. One aspect of the invention is that the training can beaccomplished automatically by each access point collecting signalstrength measurements to/from other detectable access points. In oneWLAN embodiment, the training measurements may be the same as thosecollected by each access point to drive other features, such as manageddeployment.

Thus, disclosed herein is a method, an apparatus, and a carrier mediumto determine the location of a wireless station of a wireless network.The wireless station may be a client station or a potential rogue accesspoint. The method includes accepting an ideal path loss model andcalibrating the ideal path loss model using path loss measurementsbetween a first set and a second set of wireless stations of thewireless network in an area of interest. The stations of the first andsecond sets are at known locations. The path loss measurements areobtained using measurements received from the first set of wirelessstations that measure the received signal strengths at each of therespective wireless station of the first set as a result oftransmissions by each wireless station of the second set of wirelessstations of the wireless network. Each transmission by a respectivestation of the second set is at a known respective transmit power. Inone embodiment, the first and second sets are identical, and are a setof managed access points of a managed wireless network located in thearea of interest. The calibrating determines a calibrated path lossmodel between the access points. By a managed access point is meant anaccess points at a known location whose transmit power is known andwhose received signal strength is measurable.

The method further includes measuring the path loss between the wirelessstation of an unknown location and at least some of the managed accesspoints.

In the case the wireless station is a client station of one of themanaged access points, the measuring includes receiving measurementsfrom the client station measuring the received signal strength as aresult of respective transmissions from at least some of the accesspoints, each of the respective transmissions being at a knowncorresponding transmit power.

In the case the wireless station is a potential rogue access point, themeasuring includes receiving measurements from at least some of theaccess points of the wireless network measuring the received signalstrength at each of these access points resulting from transmission of asignal from the potential rogue access point for each of a set ofassumed transmit powers for the potential rogue access point. The methodfurther includes determining the likely location or locations of thewireless station using the measured path loss and the calibrated pathloss model.

A variant for radiolocating a potential rogue uses signals received atone or more client stations. The client stations are first located usingthe radiolocation method.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows one example of a network in which the present inventionoperates, including a management entity called the WLAN manager.

FIG. 2 shows a simple block diagram of one embodiment of a wirelessstation that may be an AP or a client station and that implements one ormore aspects of the invention.

FIG. 3A shows one user interface that includes a graphic overlay of agrid of area elements, in this embodiment each a small square region.

FIG. 3B shows another user interface that includes a grid, arepresentation indicating the location of the managed APs, and a graphicoverlay representing an architectural plan of a floor of a building.

FIG. 4 shows a flowchart of one embodiment 400 of a method to determinethe location of a client station that receives signals from managed APswhose location is known.

FIG. 5 shows an area of interest with three managed APs as an exampleillustrating the calibration aspect of the invention.

FIG. 6A shows the inclusive likelihood function used in one embodimentof the invention.

FIG. 6B shows one embodiment of an exclusive likelihood functionaccording to an aspect of the invention.

FIG. 7 shows the user interface of FIG. 3B that includes locationcontours obtained using only inclusive likelihood function componentsaccording to one aspect of the invention.

FIG. 8 shows the user interface of FIG. 3B that includes locationcontours obtained using only both inclusive and exclusive likelihoodfunction components according to one aspect of the invention.

FIG. 9 shows one embodiment of a method of locating a potential rogueaccess point using signals—beacons or probe responses—received at one ormore managed access points whose location is known.

FIGS. 10A, 10B, and 10C show three displays of the results of the methodshown in FIG. 9 for a rogue AP transmitting at a transmit power of 5 mWfor a set of three assumed rogue transmit powers: 2 mW, 5 mW, and 20 mW,respectively.

FIG. 11 shows one embodiment of a method of locating a potential rogueaccess point using signals—beacons or probe responses—received at one ormore managed access points whose location is known and at one or moremanaged client stations whose location is determined according to themethod shown in FIG. 4.

DETAILED DESCRIPTION

One embodiment of the present invention is a method of determining thelikely location or locations of a receiving wireless station usingsignal strength measurements of signals from one or more transmittingstations whose transmitting power is known to provide path lossmeasurements. The path loss measurements are used together withpredicted path losses at a set of locations as predicted by a calibratedpath loss model that uses an ideal path loss model modified by arelatively small set of measurements based on transmitting and receivingat a relatively small set of known locations.

Another embodiment of the invention is a method of locating atransmitter transmitting at an unknown power level. Such a transmittermay be a rogue AP. The transmissions are received at one or morestations whose locations are known or estimated.

The Managed Wireless Network and Radio Measurements

One embodiment of the invention operates in a managed wireless networkin which the APs and their clients are managed by a central managemententity. One embodiment of the managed wireless network substantiallyconforms to the IEEE 802.11 standard. By substantially conforming wemean compatible with. Some aspects of the IEEE 802.11 standard aremodified slightly to accommodate some management aspects used in theinvention. In particular, for some aspects of the invention, additionalMAC frames are assumed. Furthermore, stations of the network measure thereceived signal strength relatively accurately.

Depending on the size and complexity, a managed network is either a setof APs with a central control entity, or a hierarchical structure with aset of hierarchical control domains that eventually are coupled to a setof APs. Each control domain is managed by a management entity we call amanager herein. The number of levels in the hierarchy depends on thecomplexity and/or size of the network, and thus not all managed networkshave all levels of control. For example, a simple managed network mayonly have one level of control with a single management entitycontrolling all the APs. Factors that influence the selection of controldomains include one or more of: the various types of IP subnetconfigurations; the radio proximity of the access points; the clientstation roaming patterns; the real time roaming requirements; and thephysical constraints of the network (e.g. campus, building, and soforth.).

In this description, we assume a single management entity we call theWLAN Manager. Management entities we called Subnet Context Managers maybe included, each controlling some aspects of a single subnet or virtuallocal area network (VLAN). A Subnet Context Manager, for example, mayrelay instructions from the WLAN manager to all managed APs in itssubset or VLAN. In some embodiments, the functions of the subnet contextmanager are carried out at a higher level, e.g., at the same level asthe WLAN Manager. Other embodiments may have a different number oflevels in the hierarchy with different levels of management. Forexample, in some embodiments, the functions of the subnet contextmanager are carried out at a higher level, e.g., at the same level asthe WLAN Manager. For more information on radio management, seeabove-mentioned U.S. Provisional Patent Application Ser. No. 60/490,847titled “A METHOD, APPARATUS, AND SOFTWARE PRODUCT FOR DETECTING ROGUEACCESS POINTS IN A WIRELESS NETWORK” to inventors Olson, et al.,assigned to the assignee of the present invention, and incorporatedherein by reference.

The WLAN Manager manages several aspects of the wireless network, e.g.,security, and in one embodiment, authorizes a set of access points inthe network—we call these the managed access points—includingmaintaining a database called the Configuration Database that containsconfiguration parameters. The Configuration Database also includes an APdatabase that includes information on the managed APs, e.g., a list ofthe managed APs together with some data related to these APs, such asthe location of the APs and the power the APs are set to transmit at. Asingle WLAN Manager is typically deployed to handle all the wirelessclients within the enterprise campus. The WLAN Manager providescentralized control of various aspects of the radio environment within agiven set of APs, including the measurement aspects of the presentinvention and the radiolocation aspects of the present invention. TheWLAN Manager provides the ability to determine network wide radioparameters during initial network deployment and network expansion. Inone embodiment, the WLAN Manager selects certain radio parameter valuesto provide an adequate radio environment. In one embodiment, the WLANManager further centrally coordinates all client and AP measurements.

Thus, aspects of the invention are implemented on the WLAN Manager anduse measurements made under control of the WLAN manager. However, theinvention does not require there to be a single WLAN Manager entity. Thefunctionality described herein may be incorporated into any of othermanagement entities, e.g., at a local level, or by a separate managercalled the Radio Manager that controls the radio aspects of the WLAN.Furthermore, any of these management entities may be combined with otherfunctionalities, e.g., switching, routing, and so forth.

A simple managed network is shown in FIG. 1. All managers are assumedincorporated into a single management entity—the WLAN Manager—that hasaccess to the AP Database. It is to be understood that the WLAN Managerincorporates the functions of the Radio Manager.

FIG. 1 shows a WLAN manager 103 that includes a processing system 123with one or more processors and a memory 121. The memory 121 includesinstructions that cause one or more processors of the processing system123 to implement the aspects of the present invention that areimplemented in the WLAN Manager. The WLAN manager 103 includes a networkinterface 125 for coupling to a network, typically wired. In oneembodiment, the WLAN manager is part of a network switch and operatedunder a network operating system, in this case IOS (Cisco Systems, Inc.,San Jose, Calif.).

The WLAN Manager 103 is coupled via its network interface 125 and anetwork (typically a wired network) to a set of Subnet Context Managers.One such Subnet Context Manager is shown as element 105 in FIG. 1. Allmanaged APs in a subnet register with a Subnet Context Manager. Forexample, in FIG. 1, the APs named AP1 and AP2 (107 and 109,respectively) each are part of the same subnet and have a networkconnection to Subnet Context Manager 105. Any management communicationbetween the WLAN Manager 103 and APs 107 and 109 is then via the SubnetContext Manager 105.

A client station associates with an AP. Thus, in FIG. 1, APs 107 and 109each are shown with associated clients 113, 115, and 117, 119,respectively. By a managed client we mean a client that associates witha managed AP. Thus, clients 113, 115, 117, and 119 are managed clients.

A wireless network uses management frames at the MAC layer designed,sent, and received for management purposes. For example, in a WLAN thatconforms to the IEEE 802.11 standard, an AP regularly transmits beaconframes that announce the AP's presence, i.e., advertises the AP'sservices to potential clients so that a client may associate with theAP. Similarly, a client can send a probe request frame requesting any APin its radio range to respond with a probe response frame that, in asimilar manner to a beacon frame, provides information for therequesting client (and any other radios in its radio range and able toreceive its channel) sufficient for a client to decide whether or not toassociate with the AP.

Aspects of the invention use data from and/or about beacons and proberesponses received at APs and/or client stations. The WLAN Manager 103manages the obtaining and receiving of such data. The beacons and proberesponse information is used to determine the path loss between stationsthat are at known locations.

FIG. 2 shows one embodiment of a wireless station 200 that may be an APor a client station and that implements one or more aspects of theinvention. While a wireless station such as station 200 is generallyprior art, a wireless station that includes aspects of the presentinvention, e.g., in the form of software, is not necessarily prior art.The radio part 201 includes one or more antennas 203 that are coupled toa radio transceiver 205 including an analog RF part and a digital modem.The radio part thus implements the physical layer (the PHY). The digitalmodem of PHY 201 is coupled to a MAC processor 207 that implements theMAC processing of the station. The MAC processor 207 is connected viaone or more busses, shown symbolically as a single bus subsystem 211, toa host processor 213. The host processor includes a memory subsystem,e.g., RAM and/or ROM connected to the host bus, shown here as part ofbus subsystem 211. Station 200 includes an interface 221 to a wirednetwork.

In one embodiment, the MAC processing, e.g., the IEEE 802.11 MACprotocol is implemented totally at the MAC processor 207. The Processor207 includes a memory that stored the instructions for the MAC processor207 to implement the MAC processing, and in one embodiment, some or allof the additional processing used by the present invention. The memoryis typically but not necessarily a ROM and the software is typically inthe form of firmware.

The MAC processor is controlled by the host processor 213. In oneembodiment, some of the MAC processing is implemented at the MACprocessor 207, and some is implemented at the host. In such a case, theinstructions for the host 213 to implement the host-implemented MACprocessing are stored in the memory 215. In one embodiment, some or allof the additional processing used by the present invention is alsoimplemented by the host. These instructions are shown as part 217 ofmemory.

According to one aspect of the invention, each station such as station200 maintains a database of the beacons and probe responses it receives,called a beacon database. Beacons and probe responses are stored in thedatabase under one or more circumstances, e.g., when the stationdetermines whether or not to associate with an AP, or upon request,e.g., from the WLAN manager to listen for beacons and probe responses onits serving channel (what we call a passive scan), or upon request,e.g., from the WLAN manager to temporarily mode to another channel andlisten for beacons and probe responses after sending a probe request(what we call an active scan). In the context of aspects of the presentinvention, beacons and probe responses received at the station arestored in the beacon database. We call this database the Beacon Table.As shown in FIG. 2, in one embodiment, the Beacon Table 219 is in thememory 215 of the station. Other embodiments store the Beacon Table 219outside of memory 215. A station stores the information in the beaconsand probe responses in its Beacon Table 219, and further storesadditional information about the state of the station when it receivesthe beacon.

The information stored in the beacon database 219 includes theinformation in the beacon/probe response, and, according to oneembodiment of the invention, the RSSI detected at the PHY of thereceiver of the beacon/probe response.

The components of radio management include radio measurement in managedAPs and their clients. One embodiment uses the 802.11 h proposal thatmodifies the MAC protocol by adding transmission power control (TPC) anddynamic frequency selection (DFS). TPC limits the transmitted power tothe minimum needed to reach the furthest user. DFS selects the radiochannel at an AP to minimize interference with other systems, e.g.,radar.

Another embodiment uses a protocol that differs from the presentlyproposed 802.11 protocol by providing for tasking at the AP and, inturn, at a client to autonomously make radio measurements according to aschedule. In one embodiment, the information reported includes, for eachdetected AP, information about the detection, and information about orobtained from contents of the beacon/probe response.

While the IEEE 802.11 standard specifies that a relative RSSI value bedetermined at the physical level (the PHY), one aspect of the inventionuses the fact that many modern radios include a PHY that providesrelatively accurate absolute RSSI measurements. Thus, the reportsinclude the RSSI detected at the PHY of the receiver of the receivedbeacon/probe response. In one embodiment, RSSIs detected at the PHYs areused to determine location information from path loss.

One embodiment uses a protocol we call the WLAN Manager-to-APMeasurement Protocol. According to this protocol, the WLAN Manager cansend a message we call a Measurement Request Message to, and receivesreport messages we call Measurement Report Messages from one or moremanaged APs, either directly, or via one or more Subnet ContextManagers. The messages can be encapsulated in Ethernet frames orUDP/TCI/IP packets. In one embodiment, Ethernet is used between a SubnetContext Manager and an AP, while IP encapsulation is used forinter-subnet messages.

The AP receiving the Measurement Request Message schedules the actualmeasurements.

In the case that the Measurement Request Message includes a schedule forone or more clients, the AP translates the Measurement Request Messageinto a measurement request for each client. In one embodiment, themeasurement communication between the APs and clients uses MAC framesthat conform to a modification of the IEEE 802.11 standard MAC protocolwe call the AP-to-client Measurement MAC Protocol herein. TheAP-to-client Measurement MAC Protocol includes IEEE 802.11 standardframes, some of which are modified to include additional informationthat may be used by one or more embodiments of the invention. Anystandard type MAC frames that conform to the AP-to-client MeasurementMAC Protocol include an indication of such conformity. For example, anassociation request frame includes an element that indicated whether ornot the station supports radio management including the ability to carryout and report the client measurements described herein. A beacon frameand a probe frame that conform to the AP-to-client Measurement MACProtocol may include the transmit power of the AP transmitting theframe.

A frame we call the Measurement Request Frame from the AP requests anactive or passive scan by a client at a scheduled scan time with areport at a scheduled reporting time. A frame we call the MeasurementReport Frame from the client provides a report in response to aMeasurement Request Frame. The Report frame includes the MAC address ofthe station providing the report, the identifier from the correspondingMeasurement Request Frame, and one or more measurement elements.

An AP receiving a Measurement Request Message periodically sends aMeasurement Report Message that includes reports from each stationperforming a measurement. The report part for each station includes thetype of station performing the measurement (AP, client, and so forth),the MAC of the measuring station, and the actual measurement data.Aspects of this invention use reports of beacons and probe responsesreceived at a station that in one embodiment includes the receivedsignal strength (RSSI), e.g., in dBm, the channel, the measurementduration, the BSSID, and other information in the beacon/probe responseand of the station receiving the beacon/probe response.

Locating Client Stations

One aspect of the invention is a method to determine the location of aclient station that receives signals from managed APs whose location isknown. Another aspect of the invention, described below, is a method tolocate a potential rogue AP whose beacons or probe responses arereceived by one or more managed APs and/or one or more clients of one ormore managed APs. In either case, the approximate location, e.g., to thenearest floor of a building is assumed known. For example, one aspect fthe invention assumes a station receiving beacon or probe response froma managed AP is within radio range of the managed AP whose location isknown. Similarly, in the case of rogue AP detection, when a beacon orprobe response from a potential rogue AP is received by a managed AP ora client of a managed AP (a managed client), and the location of themanaged AP is known, then the approximate location of the potentialrogue AP is known, e.g., to within radio range of the managed AP in thecase the managed AP received the beacon or probe response, or doublethat range in the case of a managed client receiving the beacon or proberequest, assuming a client and AP have approximately the same range.

Thus the method, implemented in the WLAN manager, assumes a model of theregion where the unknown location exists, e.g., a floor of a building.The locations of any managed APs in the overall region also are knownand provided to the method.

In one embodiment, the overall area of interest, e.g., a floor of abuilding, is divided into small area elements. In one embodiment, theseare hexagonal regions, and in another, they are small rectangularregions. The description herein uses 10 ft by 10 ft square regions.

One embodiment of the invention builds a user interface that includesthe locations of known access points in the area of interest. FIG. 3Ashows one user interface 300 that includes a graphic overlay 303 of agrid of area elements, in this embodiment each a small square (10 ft by10 ft) region. User interface 300 includes a graphic representationindicating the location of three managed APs, shown as AP1 (305), AP2(307) and AP3 (309).

FIG. 3B shows another user interface 350 that includes in addition tothe graphic overlay 303 of the grid and the representation indicatingthe location of the managed APs 305, 307, and 309, a graphic overlay 311representing the architectural structure, e.g., as an architectural planof the interior, e.g., the floor of the building. Another user interface(not illustrated) shows the graphic representation of the floorarchitecture, but no grid.

Thus, the user of the WLAN manager can view the location of the APs on atwo-dimensional screen. In one embodiment, the WLAN manager may includesoftware that provides an interactive mechanism for the user to placeaccess points, e.g., by pointing to and dragging AP icons on the 2-Doverlay 350 of the floor.

FIG. 4 shows a flowchart of one embodiment 400 of a method to determinethe location of a client station that receives signals from managed APswhose location is known. Step 403 shows the step of maintaining an APdatabase of information on a set of managed APs, including the locationsof the APs, e.g., in two-dimensions on a floor of a building, andparameters used by the APs, including the transmit powers of beacons andprobe responses. For example, in the case of managed APs, the WLANmanager may include setting the transmit power of beacons and proberesponses.

The method 400 includes a step 407 of providing a mechanism fordetermining the path loss as a function of distance assuming noobstacles. We call this an ideal path loss model. The ideal path lossmodel may be a formula or an algorithm or a lookup table, or some othermechanism for determining the path loss assuming no obstructions.

In one embodiment, the ideal path loss model determines the ideal pathloss in a logarithmic scale such as dB as a linear function of thedistance between the transmitting station and receiving station. In aparticular embodiment, the following formula is used as the ideal pathloss model to provide the path loss in dB, denoted PL_(ideal), from afirst transmitting station to a receiving station at a location adistance d meters away from the first transmitting station:PL _(ideal)(d)=37+35 log d,

or if expressed as a path gain in dB denoted G_(ideal),G _(ideal)(d)=−37−35 log d.

Other embodiments may use slightly different values for the constants ofthe linear relationship.

Because there are obstructions such as walls, bathrooms, etc., in thebuilding, the ideal path loss model typically underestimates the pathloss. One aspect of the invention includes a step 407 of receivingmeasurements at the WLAN manager measuring the path loss between a setof managed APs in the area of interest that can hear each other. Thestep of measuring includes a transmitting managed AP, e.g., one of themanaged APs' transmitting a beacon or probe response. Each of the othermanaged APs; is instructed by the AP manager to listen for thetransmitted beacons or probe responses from the transmitting AP. Reportsfrom these listening APs received at the WLAN manager include thereceived signal strength. The WLAN manager uses the received signalstrength together with the known transmitting power to determine themeasured path loss from the transmitting managed AP to each receivingmanaged AP.

The ideal path loss model provides the ideal path loss between any twomanaged APs that can hear each other. For each transmitting managed AP,the measurements at each receiving managed AP provide an adjustmentfactor to the ideal path loss predicted by the ideal path loss model.

As an example, consider FIG. 5 that shows an area of interest andconsider three managed APs, AP1 (305), AP2 (307), and AP3 (309) atlocations A, B, and C, respectively. Note that FIG. 5 is not necessarilyto scale, and the numbers used in the example are for illustrativepurposes only. Consider the case of AP1 (305) transmitting. Supposeaccording the ideal path loss model, there should be, say 77 dB of pathloss between AP1 and AP2. Suppose that because there are one or moreobstructions between AP1 and AP2, when the method 400 measures the pathloss from AP1 to AP2, e.g., by the WLAN manager knowing the powertransmitted by AP1 and measuring the RSSI accurately, e.g., in dBm, atAP2 when receiving a signal from AP1, the method 400 measures a pathloss of 82 dB from AP1 and AP2. The method 400 concludes that a stationat location B (location of AP2 307) receiving a signal from location Asuffers a path loss that needs to be adjusted by +5 dB—i.e., the gainadjusted by −5 dB—from what the ideal path loss model predicts.

Similarly, suppose the ideal path loss model predicts that there wouldbe a path loss of 75 dB when transmitting at location A to the locationC of AP3. Suppose further that the measured path loss is 82 dB. Thus,the method 400 concludes that a station at location C (location of AP33097) receiving a signal from location A suffers a path loss that needsto be adjusted by +7 dB—i.e., the gain adjusted by −7 dB—from what theideal path loss model predicts.

The measurements may be repeated by AP2 207 transmitting, with themeasured path loss compared to the path loss according to the ideal pathloss model to obtain an adjustment factor at locations A and C fortransmissions by AP2 307 at location B. The measurements may also berepeated by AP3 309 transmitting to obtain an adjustment factor atlocations A and B for transmissions by AP3 309 at location C. Similarly,adjustment factors may be obtained for each of the managed APs in thearea of interest transmitting.

Thus, step 407 includes, for each transmitting managed AP, compare theideal path loss to the measured path loss for the known locations wherethere are stations, e.g., receiving managed APs to provide a sparse setof adjustment factors. Such adjustment factors may, e.g., account forstructural differences in the area from what the mathematical modelassumes, e.g., free air propagation, without requiring knowledge of theactual structure of the building. Measuring the path loss includes, foreach managed access point, transmitting from the access point at a knowntransmit power, and obtaining measurements of the RSSI at the stationsat known locations, e.g., the other managed access points to obtain themeasured path loss from the transmitting access point to the otherstations at known locations. The adjustment factor is the differencebetween the measured path loss and the path loss predicted by the idealpath loss model.

In a step 409, the method 400 determines the calibrated path loss factorat each of the area elements. In one embodiment, step 409 uses thesparse set of adjustment factors obtained by measurement received at theWLAN manager to determine the adjustment factor at each of the areaelements. For each transmitting managed AP, for each area element, asecond mathematical model may be used to predict the path loss from thetransmitter to the area element. For example, an assumption that pathloss varies as the inverse square of the distance may be assumed.

According to one embodiment of step 409, the adjustment factor between aknown location and an unknown location is determined as a weighted sumof path losses between the known location and a sparse set of otherknown locations. For example, for a particular transmitting managed AP,for any unknown location denoted L_(x), the path loss adjustment,denoted A_(x), from the transmitter to the unknown location L_(x) giventhe adjustment factors from the transmitter to a set of known locationsL₁, L₂, . . . , L_(N), for a number denoted N of known locations wherewe have path loss measurements, is a weighted sum of the known/measuredadjustment factors, where the weighting is monotonic with the inverse ofthe distance. In one embodiment, the weighting is proportional to theinverse square of the distance.

Let A_(i) be the known adjustment factor, in dB of the path losspredicted by the mathematical model from transmitter to the i'th knownreceiver location L_(i), i=1, . . . , N,. In one embodiment, theadjustment factor A_(x) apply at the unknown location L_(x), denotedA_(x), in dB, to what the mathematical model predicts is the weightedsum given by the following equation:

$A_{x} = {\frac{\sum\limits_{i = 1}^{N}\;{A_{i}/d_{i}^{2}}}{\sum\limits_{i = 1}^{N}\;{1/d_{i}^{2}}}.}$

The process is repeated for each managed AP that may transmit and fromwhich path loss measurements are available or may be obtained. Thus, foreach area element, step 409 provides the adjustment factor for receivingfrom each known transmitter location, e.g., from each managed AP. Theideal path loss model provides the “ideal” path loss to or from eachknown transmitter location to each location. Thus, step 409 equivalentlyprovides, for each area element, the calibrated path loss, denotedPL_(C) and equal to the ideal path loss adjusted by the adjustmentfactor from each known transmitter location (managed AP location) in thearea of interest to each location, i.e., to each area element.

We call the set of adjustment factors, or equivalently, the set ofcalibrated path losses for each transmitting station at each locationthe calibrated path loss model. This model may be expressed as a gain,as an adjustment factor, as a path loss, or as a method, e.g., formulaor algorithm, for determining any of these quantities. The calibratedpath loss model may be expressed as a vector, called the calibrated pathloss vector. Each component of the calibrated path loss vector is thecalibrated path loss from a particular known transmitting location,e.g., from a managed AP. There is such a calibrated path loss vector foreach area element.

In a step 411, a wireless station at an unknown location receivessignals from the managed APs in the area of interest. In one embodiment,the signals received from the managed APs are beacons or proberesponses. The transmission from some of the APs may be received andsome from others not be detected by the receiving station. Oneembodiment includes the receiving station providing the received signalstrength and other received signal information, e.g., the identity ofthe transmitting AP, to the WLAN manager wherein, according to oneembodiment, the method 400 is implemented, and the WLAN managerreceiving this information. Because each managed AP is known to the WLANmanager and transmits e.g., transmits beacons and probe responses at aknown transmit power, step 411 includes determining the measured pathloss from each transmitting AP whose transmissions are received to thereceiving station. Thus, step 411 provides what we call a measured pathloss vector, with each vector component being the measured path loss forthe same transmitter as the corresponding component of the calibratedpath loss vector. There are thus some empty components in the measuredpath loss vector corresponding to transmitters whose transmissions areundetected at the receiving station.

The remaining steps of the method 400 use the measured path obtainedusing measurements received from the receveing station between thereceiving station and each transmitting station and compare the measuredpath loss with the calibrated path loss, e.g., with the components ofthe calibrated path loss vector to determine the likely location of thereceiving station.

Consider again FIG. 5 and consider AP1 305 transmitting, and thetransmissions received by a receiving station at an unknown location.Suppose the path loss from location A of AP1 to the receiving station ismeasured at 77 dB. According to the ideal path loss model, the likelydistance is d_(x). However, depending on the direction, this distance isknown to be too large because there are obstructions that cause the pathloss to be more than predicted by the model. For example, along the line511 on FIG. 5, suppose a station at an unknown location receives asignal from AP1 that shows a path loss 75 dB. The model predicts thelocation, assumed here to be along line 511, to be D1 (513). However,because the calibrated path loss model predicts that at location D(505), the adjustment factor is 5 dB and the ideal path loss predictedby the ideal path loss model is 70 dB, i.e., the calibrated path lossvector component for transmitter AP1 is 75 dB, the method 400 wouldinfer that the previously unknown location of the station is near Drather than near D1 to the closest area element, e.g., 10 ft by 10 ftsquare region.

Another aspect of the invention is the use of likelihood functionsaround locations that the calibrated path loss model predicts. Considera receiver at some unknown location. Step 411 provides the calibratedpath loss for each AP. Consider first the components of the measured andcalibrated path loss vector for transmitter at known locations whosetransmissions are detected by the receiving station. For each location,i.e., for each area element, or equivalently, for each calibrated pathloss, a likelihood function we call the inclusive likelihood functionprovides the likelihood at any location, e.g., at an area element, thatthe transmission from a nearby transmitter, e.g., a nearby managed APcould have been received at the location with the measured path loss,i.e., would have a particular calibrated and measured path loss from thetransmitter. For any AP whose transmissions are received, the inclusivelikelihood function may be expressed as a function of the differencebetween the calibrated path loss for each location and the measured pathloss. It is maximum where the measured path loss is equal to thecalibrated path loss. Thus, in a step 413, using the inclusivelikelihood function, the locations predicted by the calibrated path lossmodel are made fuzzy. For each transmitting AP detected, the locationpredicted by the calibrated path loss model is the most likely locationand nearby locations are less likely the further the location is fromthe most likely location predicted by the calibrated path loss model.

FIG. 6A shows the inclusive likelihood function used in one embodimentof the invention. Note this likelihood function is asymmetric round thepeak likelihood. Other likelihood functions also may be used indifferent embodiments, e.g., symmetric likelihood functions, likelihoodfunctions that are Gaussian shaped (symmetric or asymmetric), raisedcosine curve shaped (symmetric or asymmetric), and so forth.

There therefore is a likelihood at each location as a result oftransmitting by each managed AP that the station detects. Step 413includes determining the overall inclusive likelihood as a result of astation receiving transmissions from managed APs as the product of allthe inclusive likelihood components due to the individual detected APtransmissions.

Step 417 determines the overall likelihood of a measured path lossvector occurring in a particular area element as the product of alllikelihood components.

Step 419 includes normalizing the product of the likelihood componentsto a common maximum and displaying the overall likelihood to the user ofthe WLAN manager on a user interface. One embodiment shows thenormalized likelihood as a colored contour overlay.

Consider, for example, FIG. 7 that shows the user interface of FIG. 3Bthat includes a graphic overlay 311 of the architectural structure ofthe area of interest, a graphic overlay 303 of rectangular grid of thearea of interest, and a graphic overlay of showing the location of themanaged APs. FIG. 7 shows a user interface display that includes thelocation contour (shown as area elements shaded differently) derivedusing the inclusive likelihood components. In this example, a clientstation at location 705 (upper wall toward the left) detected AP1 andAP2. Note that the physical location algorithm has no way to decidewhether the client lies within the upper or lower colored area elements.

Because there may be managed APs that the WLAN manager knows aretransmitting, but that are not received at the receiving station, oneembodiment includes step 415 of using an exclusive likelihood functionfor each nearby AP that is not detected at the receiving station. Eachreceiving station has receive sensitivity, e.g., as specified by thevariant of the IEEE 802.11 standard the receiver conforms to. Thus, inone embodiment, in the case of the failure to detect a knowntransmission at a known signal power, the station that fails to detectis assumed to receive at a particular signal strength, e.g., thespecified receive sensitivity of the receiver of the station. In oneembodiment, the receiver sensitivity is 87 dBm, i.e., the receivershould be able to detect at −87 dBm, i.e., with a path loss of 87 dB ifthe transmitter was transmitting at 1 mW. We assume that the receivedsignal strength at the receiver sensitivity for a receiver not detectinga transmission. We denote the resulting measured path loss PL_(S). Forany AP not detected, the exclusive likelihood decreases as calibratedpath loss becomes less than the assumed measured path loss PL_(S), e.g.,as the location becomes closer to an AP that was not detected. In oneembodiment, the exclusive likelihood that the calibrated path loss islarger than the assumed measured path loss PL_(S) is 1. Becausecalibrated path loss for any transmitting AP is a function of location,the exclusive likelihood component computes the likelihood that a nearbytransmitter, e.g., a nearly transmitting managed AP could go undetectedat the area element.

FIG. 6B shows one embodiment of an exclusive likelihood function. Inother embodiments, the decrease in the likelihood need not be linearwith the amount in dB with which the calibrated path loss is lower thanthe assumed measured path loss PL_(S). For example, in otherembodiments, a half-Gaussian or a half raised cosine curve may be used.

When both inclusive and exclusive likelihood functions are used, step417 determines the overall likelihood of a measured path loss vectoroccurring in a particular area element as the product of all inclusiveand exclusive likelihood components.

FIG. 8 shows the location contour derived using both inclusive andexclusive components and displayed (step 419) on the user interface ofFIG. 3B. Again, the client station at Location 705 detected AP1 and AP2.The difference in this example, however, from that of FIG. 7 is that thelikelihood function uses the fact that the client station did not detectAP3. The exclusive likelihood component from AP3 reduces the overalllikelihood that the client lies between AP1 and AP3, leaving the muchhigher likelihood that it lies within the upper area element of FIG. 8.

Locating Rogue APs

Another aspect of the invention is a method of locating potential rogueAPs. Potential rogue APs may be detected by managed APs and by managedclient stations. See above-mentioned concurrently filed U.S. ProvisionalPatent Application Ser. No. 60/490,847 titled “A METHOD, APPARATUS, ANDSOFTWARE PRODUCT FOR DETECTING ROGUE ACCESS POINTS IN A WIRELESSNETWORK,” incorporated herein by reference and called the “RogueDetection Invention” herein, for how passive and/or active scanningleads to the WLAN manager identifying potential rogue APs using beaconsand/or probe responses detected by the passive or active scanning andreported back to the WLAN manager.

According to one variant of the Rogue Detection Invention, the WLANmanager receives reports from a managed AP of any transmissions ofbeacons or probe responses received at the AP that were transmitted by apotential rogue AP. According to another variant of the Rogue DetectionInvention, the WLAN manager receives reports from a managed AP of anytransmissions of beacons or probe responses received at one or moreclients of the managed AP that were transmitted by a potential rogue AP.The WLAN manager uses the reports to determine, e.g., by looking up theWLAN database, to determine if the potential rogue station is likely tobe a rogue. The approximate location of the rogue, e.g., to within anarea of interest such as a floor of a building, is determined fromknowledge of the location of the managed APs receiving the beacons orprobe responses, or from the inferred knowledge of the location of themanaged clients receiving the beacons or probe responses.

Part of the information received at the WLAN manager is the RSSI at thestation receiving the beacon or probe response from the potential rogueAP. These received signal strengths are used, according to an aspect ofthe present invention, to further locate the potential rogue AP.

In the method 400 described above and in FIG. 4 for detecting thelocation of a receiving clients, the signals received and reported tothe WLAN manager are from transmitters whose transmitting power andlocation are known. Rogue APs transmit at a power level that is unknown.

One embodiment of the method for determining the location of a potentialrogue AP determines the likely locations, e.g., the likelihoods as afunction of location by displaying likelihood contours for a set oftransmit powers. The set of transmit powers include the likely transmitpowers.

FIG. 9 shows one embodiment 900 of the method of locating a potentialrogue access point using signals—beacons or probe responses—received atone or more managed access points whose location is known. Step 903includes locating the area of interest for the rogue and includes steps403, 405, 407, and 409 of maintaining an AP database of managed APs andtheir locations and transmit powers, providing an ideal path loss model,receiving measurements to determine the path loss between the managedAPs in order to calibrate the ideal path loss model to obtain acalibrated path loss model of the area of interest for each potentialmanaged AP that might receive a transmission from the potential rogueAP. While in method 400, the calibrated path loss model was used fortransmitting from APs to a receiver at an unknown location, in method900, the calibrated path loss model is used for determining the locationof a transmitting station—the potential rogue AP—whose signals arereceived (or not) at the managed APs at the known locations. Thus acalibrated path loss vector is obtained, with each component of thevector corresponding to a managed AP.

Steps 911 through 917 of method 900 locate the potential rogue for anassumed transmit power level. In one embodiment, steps 911 through 917are repeated for each transmit power level of the set of transmit powersassumed for the potential rogue AP.

In a step 911, for each managed AP that detects the transmissions, e.g.,beacons/probe responses from the potential rogue AP, measurements arereported to the WLAN manager and the WLAN manager determines themeasured path loss based on the assumed transmit power for the rogue andthe RSSI at the receiving managed AP. Thus a measured path loss vectoris determined, with each component corresponding to one of the managedAPs at which a beacon or probe response was received from the potentialrogue.

In a step 915, for each managed AP that detects the transmissions, e.g.,beacons/probe responses from the potential rogue AP, and at eachlocation, e.g., each area element, the inclusive likelihood componentcorresponding to that managed AP is determined using the measured andcalibrated path losses.

In a step 917, in one embodiment, for each managed AP in the area ofinterest that fails to detect transmissions, e.g., beacons/proberesponses from the potential rogue AP, and at each location, e.g., eacharea element, the exclusive likelihood component corresponding to thatmanaged AP is determined using the assumed measured path loss vector(assuming receiver fails to receive at the limit of the receiversensitivity) and calibrated path losses.

In a step 917, the inclusive and exclusive likelihood components aremultiplied and the overall likelihood normalized.

Thus, the repetitions of steps 911 through steps 917 provide a set ofoverall likelihoods for each assumed transmit power level for thepotential rogue.

In a step 921, the results of the rogue location are displayed to theuser on a user interface. Different embodiments display the results indifferent ways. In one embodiment, the WLAN manager displays thelocation contours for each assumed transmit power level individually,either one per single display screen, or as a set of displays on asingle screen. In another embodiment, the location contours for theassumed transmit power levels are displayed collectively. The collectivecontour is equivalent to the union of multiple location contours acrossa range of power levels, saving the highest likelihood value in eachpredefined area element.

FIGS. 10A, 10B, and 10C show three displays of the results of method 900for a rogue AP 1005 transmitting at a transmit power of 5 mW for a setof three assumed rogue transmit powers: 2 mW, 5 mW, and 20 mW,respectively. The transmitting AP is detected by AP1 and AP2, but notAP3. The three figures show three respective individual locationcontours generated under the assumptions that the rogue transmits ateach respective power of the three assumed transmit powers. Withoutknowing the transmit power, the collective contour (not shown) wouldappear no larger than the overlay of the individual contours for eachpower level, and possibly much smaller. The reason is that the processof normalizing one individual contour may boost a moderately likely“best” area element into the most likely zone of its display, while thesame process may not need to boost an already highly likely “best” areaelement of another individual contour to the display's most likely(shown here as the darkest) zone. Since the collective case isnormalized after the union of individual contours, the moderately likely“best” area element of the moderately likely contour would beovershadowed by the highly likely “best” contour. The collective mostlikely zone would resemble the darkest most likely zone of the highlylikely “best” contour and show little or no emphasis in moderatelylikely “best” contour.

The method 900 describes one embodiment of determining rogue locationcontours on signals detected by managed APs.

Rogue APs may not always be detected by managed APs. Thus one embodimentalso uses signals from potential rogue APs, e.g., beacons and proberesponses detected at managed clients of one or more managed APs. FIG.11 shows a flow chart of a method 100 that uses client detection frompotential rogue stations. Step 1103 is, as described above, maintainingthe AP database and the calibrated path loss model for each managed AP.In a step 1105, the RSSI from the potential rogue AP is measured at aset of detecting managed APs and additionally one or more clientstations of managed APs and reported to the WLAN manager. The WLANmanager receives the measurements. In a step 1107, the method 1100predicts the location of one or more managed clients using the method400 (FIG. 4) described herein. In one embodiment, this client locationstep is carried out at least for each managed client station thatdetects the rogue AP's beacon or probe response. In another embodiment,all the managed clients that are associated with managed APs in the areaof interest are located. The most likely client location (overalllikelihood) is assumed to be the client location using both inclusiveand exclusive likelihood components. Step 1107 also includes addingcomponents to the calibrated path loss model for the clients located instep 1107, e.g., the clients detecting signals from the potential rogueAP.

The method now proceeds in the same manner as method 900, but now usingboth APs whose location is known and clients whose location isdetermined by step 1107. Thus, steps 1111, 1113, 1115, and 1117 arerepeated for each of a set of assumed transmit powers for a potentialrogue A. For each power level: step 1111 reports measurements to theWLAN manager that receives the reports and determines the measured pathloss for each managed AP and managed client detecting a signal (beaconor probe response) from the potential rogue AP; step 1113 obtains theinclusive likelihood component using the measured and calibrated pathloss component corresponding to each managed AP and managed clientdetecting a signal (beacon or probe response) from the potential rogueAP; step 1115 obtains the exclusive likelihood component using theassumed measured path loss component (assuming the receiver just failsto receive at the limit of receiver sensitivity) and the calibrated pathloss component corresponding to each managed AP and managed client notdetecting a signal from the potential rogue AP; and step 1117 determinesoverall likelihood and normalizes this overall likelihood measure. Step1121 displays the results to the user/operator of the WLAN manager.

Note that while the determining of the calibrated path loss modeldescribed above uses measurements between each of a set of managedaccess points of a managed wireless network, the method in generalincludes receiving at the WLAN manager measurements measuring thereceived signal strengths at each respective wireless station of a firstset of wireless stations of a wireless network for signals received as aresult of transmissions by each wireless station of a second set ofwireless stations of the wireless network. The locations of each stationof the first and second set are known. The method includes calibratingthe ideal path loss model using the received measurements obtained bythe measuring step to determine a calibrated path loss model fortransmission by each of the second set of wireless stations. The firstand second sets, however, need not be identical. Each transmission by arespective station of the second set is at a known respective transmitpower. In the embodiment described herein, the first and second sets areidentical, and are the set of managed access points in the area ofinterest.

Note that in the above description, the calibrated path loss modelprovides the path loss for a set of locations for transmission by eachof the second set of wireless stations, or for reception at each of thesecond set of wireless stations for transmissions from each location.Those in the art will understand that the calibrated path loss may beexpressed as a path loss, gain, as an adjustment factor, as a formulafor determining the path loss, gain, or adjustment factor, or as analgorithm, a set of processing instructions, or a method of determiningthe path loss, gain, or adjustment factor. The term calibrated path lossmodel is meant to include all these variations.

One embodiment of each of the methods described herein is in the form ofa computer program that executes on a processing system, e.g., one ormore processors that are part of the WLAN manager 103. Thus, as will beappreciated by those skilled in the art, embodiments of the presentinvention may be embodied as a method, an apparatus such as a specialpurpose apparatus, an apparatus such as a data processing system, or acarrier medium, e.g., a computer program product. The carrier mediumcarries one or more computer readable code segments for controlling aprocessing system to implement a method. Accordingly, aspects of thepresent invention may take the form of a method, an entirely hardwareembodiment, an entirely software embodiment or an embodiment combiningsoftware and hardware aspects. Furthermore, the present invention maytake the form of carrier medium (e.g., a computer program product on acomputer-readable storage medium) carrying computer-readable programcode segments embodied in the medium. Any suitable computer readablemedium may be used including a magnetic storage device such as adiskette or a hard disk, or an optical storage device such as a CD-ROM.

It will be understood that the steps of methods discussed are performedin one embodiment by an appropriate processor (or processors) of aprocessing (i.e., computer) system executing instructions (codesegments) stored in storage. It will also be understood that theinvention is not limited to any particular implementation or programmingtechnique and that the invention may be implemented using anyappropriate techniques for implementing the functionality describedherein. The invention is not limited to any particular programminglanguage or operating system.

Reference throughout this specification to “one embodiment” or “anembodiment” means that a particular feature, structure or characteristicdescribed in connection with the embodiment is included in at least oneembodiment of the present invention. Thus, appearances of the phrases“in one embodiment” or “in an embodiment” in various places throughoutthis specification are not necessarily all referring to the sameembodiment. Furthermore, the particular features, structures orcharacteristics may be combined in any suitable manner, as would beapparent to one of ordinary skill in the art from this disclosure, inone or more embodiments.

Similarly, it should be appreciated that in the above description ofexemplary embodiments of the invention, various features of theinvention are sometimes grouped together in a single embodiment, figure,or description thereof for the purpose of streamlining the disclosureand aiding in the understanding of one or more of the various inventiveaspects. This method of disclosure, however, is not to be interpreted asreflecting an intention that the claimed invention requires morefeatures than are expressly recited in each claim. Rather, as thefollowing claims reflect, inventive aspects lie in less than allfeatures of a single foregoing disclosed embodiment. Thus, the claimsfollowing the Detailed Description are hereby expressly incorporatedinto this Detailed Description, with each claim standing on its own as aseparate embodiment of this invention.

It should be appreciated that although the invention has been describedin the context of the IEEE 802.11 standard, the invention is not limitedto such contexts and may be utilized in various wireless networkapplications and systems, for example in a network that conforms to astandard other than IEEE 802.11. Furthermore, the invention is notlimited to any one type of architecture or protocol, and thus, may beutilized in conjunction with one or a combination of otherarchitectures/protocols. For example, the invention may be embodied inwireless networks conforming to other standards and for otherapplications, including other WLAN standards, bluetooth, GSM, PHS, CDMA,and other cellular wireless telephony standards.

While embodiments described above use an assumed measured path losscomponent assuming the received signal strength is at the limit of thereceiver sensitivity for the receiver just failing to detect thetransmission, alternate embodiments use different assumed measured pathloss components, e.g., a signal strength higher by a selected amountthan the receiver sensitivity.

All publications, patents, and patent applications cited herein arehereby incorporated by reference.

Thus, while there has been described what is believed to be thepreferred embodiments of the invention, those skilled in the art willrecognize that other and further modifications may be made theretowithout departing from the spirit of the invention, and it is intendedto claim all such changes and modifications as fall within the scope ofthe invention. For example, any formulas given above are merelyrepresentative of procedures that may be used. Functionality may beadded or deleted from the block diagrams and operations may beinterchanged among functional blocks. Steps may be added or deleted tomethods described within the scope of the present invention.

1. A method comprising: accepting a radio loss model applicable to anarea of interest; accepting data indicative of path losses between pairsof wireless stations of a first set of wireless stations; calibratingthe path loss model using the accepted data to obtain a calibrated pathloss model; causing respective transmissions at known respectivetransmit powers from at least some of the stations of the set ofwireless stations; receiving measurements from a particular wirelessstation of unknown location, the measurements indicative of the receivedsignal strengths at the particular wireless station resulting from thecaused respective transmissions; and determining the likely location orlocations of the particular wireless station using the receivedmeasurements and the calibrated path loss model.
 2. A method as recitedin claim 1, wherein the first set of wireless stations is a set ofmanaged access points of a managed wireless network, the managed accesspoints being at known locations, the method further comprising:measuring the path loss between pairs of managed access points of theset of managed access points.
 3. A method as recited in claim 2, whereinthe wireless network substantially conforms to the IEEE 802.11 standard.4. A method as recited in claim 2, wherein the determining of the likelylocation or locations includes determining a set of likelihoodcomponents for each of a set of locations, each component correspondingto a respective managed access point whose transmissions are listenedfor at the particular station, and determining an overall likelihood foreach of the set of locations as the product of the likelihoodcomponents.
 5. A method as recited in claim 4, wherein the determiningof the likely location or locations includes, for each managed accesspoint whose transmitted signal is detected at the particular station,determining an inclusive likelihood component as a function of locationusing the measured path loss and calibrated path loss for thetransmission from the respective managed access point to the particularwireless station, such that each inclusive likelihood component providesan indication of the likelihood at any location that the transmissionfrom the access point whose transmission is detected could have beenreceived at the location with the measured path loss.
 6. A method asrecited in claim 5, wherein the determining of the likely location orlocations includes, for each managed access point whose transmittedsignal is not detected at the particular station, determining anexclusive likelihood component as a function of location, such that eachexclusive likelihood component provides an indication of the likelihoodat any location that the transmission from the access point whosetransmission is not detected could have been received at the locationwith an assumed signal strength for the transmitted power.
 7. A methodas recited in claim 1, wherein the calibrating includes comparing thepath loss to the measured path loss for the known locations of thetransmitting and receiving wireless stations to provide a sparse set ofadjustment factors between a sparse set of known locations.
 8. A methodas recited in claim 7, wherein the adjustment factor between a knownlocation and an unknown location is determined as a weighted sum of pathlosses between the known location and a sparse set of other knownlocations.
 9. A tangible computer-readable storage medium configuredwith instructions that when executed by one or more processors cause atleast one of the processors to implement a method comprising: acceptinga radio path loss model applicable to an area of interest; calibratingthe path loss model using measurements received from each respectivewireless station of a first set of wireless stations of a wirelessnetwork measuring the received signal strengths at each of therespective wireless stations, the stations receiving signals as a resultof transmissions by respective wireless stations of a second set ofwireless stations of the wireless network, each respective transmissionat a known respective transmit power, the locations of each station ofthe first and second set being known or determined, the calibratingbeing to determine a calibrated path loss model between the receivingand transmitting wireless stations; receiving measurements from eachrespective station of a third set of wireless stations of the wirelessnetwork measuring the received signal strength at each of the respectivestations resulting from transmission of a signal from a potential rogueaccess point, each station of the third set being at a known ordetermined location; and for each of a set of assumed transmit powersfor the potential rogue access point, determining the likely location orlocations of the potential rogue access point using the received signalstrengths at the stations of the third set and the calibrated path lossmodel.
 10. A tangible computer-readable storage medium as recited inclaim 9, wherein the first set and the second set of stations includethe same set of managed access points of a managed wireless network suchthat the calibration of the path loss model includes the receiving ofmeasurements measuring the path loss between each of the set of managedaccess points and such that the calibrated path loss model provides acalibrated path loss at each location of the area of interest betweeneach transmitting managed AP and each receiving managed AP.
 11. Atangible computer-readable storage medium as recited in claim 10,wherein the third set of wireless stations includes managed accesspoints of the set of access points of the wireless network.
 12. Atangible computer-readable storage medium as recited in claim 10,wherein the third set of wireless stations includes wireless clients ofat least one managed access point of the wireless network, the methodfurther including determining the location of each client by aradiolocation method including: receiving measurements measuring thereceived signal strengths at the wireless client resulting fromrespective transmissions from at least some of the managed accesspoints, said each of the respective transmissions being at a knowncorresponding transmit power; and determining the likely location of thewireless client using the received signal strengths and the calibratedpath loss model.
 13. A tangible computer-readable storage medium asrecited in claim 10, wherein the wireless network substantially conformsto the IEEE 802.11 standard.
 14. A tangible computer-readable storagemedium as recited in claim 10, wherein the determining of the likelylocation or locations includes: determining a set of likelihoodcomponents for each of a set of locations, each component correspondingto a respective managed access point whose transmissions are listenedfor at the particular station, and determining an overall likelihood foreach of the set of locations as the product of the likelihoodcomponents.
 15. A tangible computer-readable storage medium as recitedin claim 14, wherein the determining of the likely location or locationsincludes, for each managed access point whose transmitted signal isdetected at the particular station, determining an inclusive likelihoodcomponent as a function of location using the measured path loss andcalibrated path loss for the transmission from the respective managedaccess point to the particular wireless station, such that eachinclusive likelihood component provides an indication of the likelihoodat any location that the transmission from the access point whosetransmission is detected could have been received at the location withthe measured path loss.
 16. A tangible computer-readable storage mediumas recited in claim 15, wherein the determining of the likely locationor locations includes, for each managed access point whose transmittedsignal is not detected at the particular station, determining anexclusive likelihood component as a function of location, such that eachexclusive likelihood component provides an indication of the likelihoodat any location that the transmission from the access point whosetransmission is not detected could have been received at the locationwith an assumed signal strength for the assumed transmitted power.
 17. Atangible computer-readable storage medium as recited in claim 14,wherein the method further comprises: displaying the overall likelihoodto the user on a user interface showing the area of interest.
 18. Atangible computer-readable storage medium as recited in claim 9, whereinthe calibrating includes comparing the path loss to the measured pathloss for the known locations of the transmitting and receiving stationsto provide a sparse set of adjustment factors between a sparse set ofknown locations.
 19. A tangible computer-readable storage medium asrecited in claim 18, wherein the adjustment factor between a knownlocation and an unknown location is determined as a weighted sum of pathlosses between the known location and a sparse set of other knownlocations.
 20. A tangible computer-readable storage medium configuredwith one or more code segments to instruct one or more processors of aprocessing system to execute a method comprising: accepting a radio pathloss model applicable to an area of interest; accepting data indicativeof path losses between pairs of wireless stations of a first set ofwireless stations, the data provided by measuring the path loss betweenpairs of the first set of wireless stations, the wireless stations beingat known or determined locations in the area of interest; calibratingthe accepted path loss model using the accepted data to determine acalibrated path loss model between the receiving and transmittingwireless stations_(i) causing respective transmissions at knownrespective transmit powers from at least some of the stations of thefirst set of wireless stations; receiving measurements from a particularwireless station of unknown location, the measurements indicative of thereceived signal strengths at the particular wireless station resultingfrom the caused respective transmissions; and determining the likelylocation or locations of the particular wireless station using thereceived measurements and the calibrated path loss model.
 21. Anapparatus comprising: a processing system including a memory and anetwork interface to couple the apparatus to a network including a setof wireless stations of a wireless network at known or determinedlocations, the processing system to: accept a radio path loss modelapplicable to an area of interest; instruct each of the wirelessstations at known or determined locations in the area of interest tomeasure and report the received signal strengths as a result oftransmissions by respective other wireless stations of the set, eachrespective transmission at a known respective transmit power; receivethe reports of the measurements from the instructed wireless stations;calibrate the path loss model to determine a calibrated path loss modelbetween the receiving and transmitting wireless stations; receive from aparticular wireless station of unknown location the received signalstrengths resulting from respective transmissions from at least some ofthe wireless stations in the area of interest, said each of therespective transmissions being at a known corresponding transmit power;and determine the likely location or locations of the particularwireless station using the received signal strengths at the particularwireless station and the calibrated path loss model.
 22. A methodcomprising: accepting a radio path loss model; calibrating the path lossmodel in an area of interest using path loss determined frommeasurements between wireless stations of a wireless network, thewireless stations at known locations, the measurements received fromsome of the wireless stations measuring their received signal strengthsresulting from respective transmissions from respective wirelessstations, each respective transmission at a known respective transmitpower, the calibrating being to determine a calibrated path loss modelbetween the wireless stations; determining the measured path lossbetween a particular wireless station of unknown location and at leastsome of the wireless stations by receiving measurements from theparticular wireless station, wherein in the case the wireless station ofunknown location is known not to be a rogue access point, thedetermining uses measurements received from the particular wirelessstation of unknown location measuring the received signal strength as aresult of respective transmissions from at least some of the wirelessstations, said each of the respective transmissions being at a knownrespective transmit power, and wherein, in the case the wireless stationof unknown location is a potential rogue access point, the determininguses measurements received from each of at least some of the wirelessstations measuring the received signal strength at each of the wirelessstations resulting from transmission of a signal from the potentialrogue access point for each of a set of assumed transmit powers for thepotential rogue access point; and determining the likely location orlocations of the particular wireless station of unknown location usingthe measured path loss and the calibrated path loss model.
 23. Anapparatus comprising: means for accepting a path loss model applicableto an area of interest; means for accepting data indicative of pathlosses between pairs of wireless stations of a first set of wirelessstations; means for calibrating the path loss model using the accepteddata to obtain a calibrated path loss model; means for causingrespective transmissions at known respective transmit powers from atleast some of the stations of the set of wireless stations; means forreceiving measurements from a particular wireless station of unknownlocation, the measurements indicative of the received signal strengthsat the particular wireless station resulting from the caused respectivetransmissions; and means for determining the likely location orlocations of the particular wireless station using the receivedmeasurements and the calibrated path loss model.
 24. An apparatus asrecited in claim 23, wherein the first set of wireless stations is a setof managed access points of a managed wireless network, the managedaccess points being at known locations, the apparatus furthercomprising: means for measuring the path loss between pairs of managedaccess points of the set of managed access points.
 25. An apparatus asrecited in claim 24, wherein the wireless network substantially conformsto the IEEE 802.11 standard.